1. Field of the Invention
The present invention generally relates to the protection of information contained in an integrated circuit, for example, in a smart card or the like, with or without contacts. The present invention more specifically relates to the protection of critical information contained in an integrated circuit of a smart card or the like against attacks aimed at preventing the card from being disabled after detection of a fraud attempt.
2. Discussion of the Related Art
FIGS. 1A and 2A very schematically show an example of a smart card system 10 (FIG. 1A) with contacts, of the type to which the present invention applies. Card 10 supports an integrated circuit chip 20 capable of communicating with a terminal 30 (FIG. 2A) via contacts 21. When card 10 (FIG. 2A) is inserted into a slot 31 of the terminal, contacts 21 of card 10 come into electrical contact with other contacts 32 of terminal 30 to communicate with a computer system 33 thereof.
FIGS. 1B and 2B very schematically show an example of a contactless electronic card or label 10′ (FIG. 1B) of the type to which the present invention applies. In this case, integrated circuit chip 20 supported by electronic label 10′ is connected to an antenna 21′ forming the inductive element of a resonant circuit of the transponder thus formed. This antenna 21′ is intended to communicate by close magnetic coupling with an antenna 31′ of a terminal 30′ when label 10′ (FIG. 2B) is in the electric field radiated by antenna 31′. Antenna 31′ is connected to a computer system 33 of terminal 30′. Electromagnetic transponder 10′ may be supported by a smart card, the antenna then generally being formed of a planar conductive winding supported by the card. It may also be a dual smart card combining the communication functions with and without contacts.
FIG. 3 very schematically shows, in block form, elements of an integrated circuit chip 20 of the type to which the present invention applies, equipping, for example, a smart card with or without contacts.
Integrated circuit 20 forms a microcontroller comprising a central processing unit 22 (CPU) communicating via a bus 23 with different memories, among which at least a memory 24 (ROM), for example, a read-only memory or a FLASH memory, for storing programs to be executed, a RAM 25 used in the execution of programs, and a non-volatile rewritable memory 26 (NVM) (for example, an EEPROM). Chip 20 also comprises input/output ports (I/O COM) 27 towards the outside. These input/output ports are connected either to contacts (for example, contacts 21 of a smart card—FIG. 1A), or to a contactless transmit element (for example, antenna 21′ of an electromagnetic transponder—FIG. 1B).
FIGS. 4A and 4B very schematically illustrate the operation of a program having at least one portion processing critical information (for example, one or several secret keys or cryptography algorithms) undergoing an attack attempt by a hacker aiming at obtaining all or part of the critical information.
After a reset of the microprocessor of the circuit (20, FIG. 3) of the concerned smart card, different processing operations are carried out by its central unit according to the application. It is assumed that, in the course of its main program (FIG. 5A), there occurs a so-called critical section 1 (CRITSECT) processing critical data (for example, a key, secret code, or algorithm) to be protected, that is, data that must be prevented from leaving the integrated circuit in which they are held. This amounts to preventing data output through the input/output interface (27, FIG. 3), with or without contacts, of the integrated circuit when a disturbance is detected.
It is assumed that, in the course of critical section 1, there occurs an attack ATT coming from a person attempting fraud by discovering the card's secret. Such an attack may take different forms. For example, it may consist of introducing a disturbance into the component to cause an instruction jump in the course of the critical section and thus obtain the data. It may also consist of disturbing the execution of the critical section by luminous excitation or of introducing a drift in the component clock. Since the hacker does not, in principle, have access to the program executed by the actual component, such attacks generally cause a physical disturbance on the component.
Conventionally, protected integrated circuit chips are capable of detecting a hacking attempt within a critical section. This detection (ATTDET) of an attack may take different forms. For example, it is known to detect in hardware a drift in the component clock, the occurrence of a significant luminous excitation, or an electric disturbance on the integrated circuit. In software, the execution of the critical section may be protected by a periodic checking of the software code based on an authentication key stored in a memory of the integrated circuit. Such a calculation is generally called a signature calculation and checks that the software code has executed properly and without interruption. If execution is interrupted, the signature check fails, which enables detection.
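The software check described above can be sketched as follows. This is an added example, not code from the patent: the key value, step identifiers, check period and the toy mixing function are constructed assumptions, and a skipped step stands for the instruction jump caused by a disturbance.

```c
#include <stdint.h>
#include <stdio.h>

#define N_STEPS      4
#define CHECK_PERIOD 2   /* compare against the reference every 2 steps */

/* Constructed values, for illustration only. */
static const uint32_t AUTH_KEY = 0xC3A5F00Du;  /* stands in for the key stored in chip memory */
static const uint8_t  STEP_ID[N_STEPS] = {0x11, 0x22, 0x33, 0x44};

/* Order-sensitive running signature. Multiplying by the odd constant 33 is
 * invertible mod 2^32 and no STEP_ID is a multiple of 32, so dropping any
 * single step changes every later signature value. Toy mixer, not a MAC. */
static uint32_t sig_update(uint32_t sig, uint8_t step_id) {
    return sig * 33u + step_id;
}

/* Reference value after steps 0..upto, as it would be fixed at build time. */
static uint32_t reference_after(int upto) {
    uint32_t sig = AUTH_KEY;
    for (int i = 0; i <= upto; i++) sig = sig_update(sig, STEP_ID[i]);
    return sig;
}

/* Runs the critical section. Bit i of skip_mask models a disturbance that
 * makes the CPU jump over step i. Returns -1 if execution was uninterrupted,
 * otherwise the step index of the periodic check that raised ATTDET. */
int run_critical_section(unsigned skip_mask) {
    uint32_t sig = AUTH_KEY;
    for (int i = 0; i < N_STEPS; i++) {
        if (!(skip_mask & (1u << i))) {
            /* ... processing of critical data for step i would go here ... */
            sig = sig_update(sig, STEP_ID[i]);
        }
        if ((i + 1) % CHECK_PERIOD == 0 && sig != reference_after(i))
            return i;  /* mismatch: stop before any data reaches the I/O port */
    }
    return -1;
}

int main(void) {
    printf("no fault       -> %d\n", run_critical_section(0u));
    printf("step 0 skipped -> %d\n", run_critical_section(1u << 0));
    printf("step 2 skipped -> %d\n", run_critical_section(1u << 2));
    return 0;
}
```

Because the check is periodic, a skipped step is reported at the next checkpoint rather than at the step itself.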
Traditionally, after detection of an attack on an integrated circuit chip, data output from the card must be prevented. To achieve this, the program that handles the disturbance detection generates a card blocking action (REACT). This action generally takes the form of writing or deleting one or several bits in a rewritable non-volatile memory (26, FIG. 3), for example, of EEPROM or FLASH type. The object of this action is to disable any subsequent operation of the chip to prevent the hacker from repeating his attack. Indeed, an attack must be repeated several times on a same component to enable discovering the secret of an integrated circuit. The results provided after the interrupts across these repetitions are generally processed statistically, based on assumptions made by the hacker, to discover the circuit's secret.
A problem which arises is that this action (REACT) generally produces a strong electric signature of the component (higher power consumption of the integrated circuit), which enables the hacker to detect the attempt to write into the non-volatile memory during the critical section. Such a detectable signature enables the hacker to abruptly cut off every signal that the component needs to carry on its software execution. The hacker thus prevents the card blocking, which enables him to repeat his attack as illustrated in FIG. 4A. He repeats the attack, possibly modifying one or several parameters, until one of these attacks goes undetected and data are then provided by the circuit.
FIG. 4B illustrates, in the form of a very simplified timing diagram, such a reaction of a person attempting fraud after an attempt to block the integrated circuit.
Whatever the action taken by the card, this action will take some time before the blocking is achieved. The example of FIG. 4B illustrates the duration of a command, for example, for writing into an EEPROM, starting at a time t0 (START REACT) and ending, in principle, at a time t1 (END).
A hacker, knowing that his attacks are likely to be detected by the smart card, monitors the electric signature of the card to detect a significant variation during the execution of a critical section (SIGN DETECT). For example, this detection occurs at a time t2 before the card has finished executing the command. After this detection, the person attempting fraud almost immediately stops (time t3, STOP) any operation of the card to prevent the blocking from being completed.
Of course, such actions are in practice automatically performed by a tool programmed for this purpose, which enables fast reaction. In the case of a smart card with contacts, this amounts to abruptly interrupting all contacts between card 10 (FIG. 1A) and its reader 30 (FIG. 2A) to deprive it of any power supply and clock signal. In the case of a contactless card 10′ (FIG. 1B), this amounts to an immediate suppression of any radio-frequency transmission by reader 30′ (FIG. 2B), depriving the card of power supply and clock.
The present invention will be described hereafter in relation with an example of application to smart cards with contacts. It should however be noted that it more generally applies not only to contactless smart cards but also to any electronic element containing a microcontroller integrating one or several memories likely to contain information that is to be protected against piracy attempts relying on repeated attacks and on actions that aim, by detecting an electric signature of the integrated circuit, at preventing its blocking.